The incident took place back in March but users were notified months later.
Educational content producer Pearson PLC was hacked. As a result, data from thirteen thousand accounts, which belonged to schools and universities primarily based in the US, was stolen.
Hackers took advantage of a vulnerability in the AIMSweb 1.0 system, a tool that monitors the progress of students through periodic assessment.
Pearson said it had found no evidence of misuse of the stolen data. It conveyed this information to its clients just a few days ago in a media release titled “Pearson customer notification.”
The company provided limited information about the incident, but the Wall Street Journal reported that the FBI informed Pearson of the breach as early as March this year. The company’s delay in informing its clients about the hacking raises concerns. According to the European Union’s General Data Protection Regulation, all organizations must report certain types of data breaches within 72 hours of becoming aware of the breach.
Pearson declared it impossible to know the full number of people affected by this cyberattack, but the Wall Street Journal estimated the magnitude of the damage. The 13,000 accounts reached by the hackers were not individual accounts; they were institutional. Each school or university that had an account also had thousands of students who used its services.
To get an idea of how many people could have been affected by the hack, the Journal revealed that in just one school district, the breach had compromised the data of 114,000 students. Multiplied by the 13,000 affected accounts, the final numbers could easily reach millions across multiple school districts.
The data stolen by the hackers includes usernames, dates of birth, and in some cases emails. Pearson has already issued an apology to users affected by the hack and has offered complimentary credit monitoring services as a precautionary measure.